Web Application Security Scenarios

We organize our scenarios for key problem areas into a frame. We use the scenarios to figure out where customers need more help, and to test how well the guidance, tools, and platform address the problems.

Hot Spots

Auditing

Logging

Authentication

Authorization

Code Access Security

Communication

Data Access

Deployment Considerations

Exception Management

Sensitive Data

Session Management

Validation

Frame

Hot Spot

Key Decisions

Auditing

* How to identify the sink for auditing.

* How to identify the operations and events to be logged.

* How to identify the content or information to be logged.

* How to secure the audit files / store.

* How to archive audit information.

* How to handle audit failures.

* How to avoid storing sensitive information in audit files.

Logging

* How to provide the necessary information for debugging cloud applications.

* How to use platform features to log debugging information without impacting application performance.

* How to handle sensitive information in debug logs.

* How to ascertain and send health status information.

Authentication

* How to identify trust boundaries within Web application layers for authentication.

* How to authenticate your users and pass authenticated identities across the layers.

* How to use Windows authentication in a web app.

* How to use forms authentication in a web app.

* How to authenticate with Live ID.

* How to authenticate mobile users.

* How to prevent brute force attacks.

* How to use a foreign identity provider logon page (i.e., how to redirect to an STS from a browser).

Authorization

* How to identify trust boundaries within the Web application layers for authorization.

* How to decide granularity of authorization settings.

* How to federate claims.

* How to use resource authorization.

* How to use URL authorization.

* How to use roles authorization.

* How to ensure a least-privilege implementation.

* How to use Azure tables as a roles store.

* How to authorize access to Azure tables, queues, and blobs.

* How to prevent your application from relying on administrative privileges it will not have in the cloud.

Code Access Security

* How to create custom trust policy for your web application.

* Under what circumstances should Worker and Web roles run under partial trust (default).

* Under what circumstances should Worker and Web roles run under full trust.

Communication

* How to choose the protocol, security, and communication style for communication between web application layers.

* How to secure any sensitive data that is sent across the network.

* How to choose between message security and transport security.

* How to secure inter-role (IPC) communication.

* How to handle interruptions in access to cloud applications.

* How to interact with non-cloud applications that require a fixed IP address.